Tag Archives: PII

Breach Brief – T-Mobile

Mobile phone service provider T-Mobile has announced a data breach of its customer information.

According to a post on the carrier’s website the hack was discovered on August 20 by its cybersecurity team. The team shut down unauthorized access to certain information and T-Mobile quickly reported the incident to authorities. T-Mobile reported that the attackers did not get access to financial information, social security numbers, or passwords. However the company did admit that some personal information may have been compromised including name, billing zip code, phone number, email address, account number and account type.

In a statement T-Mobile said, “Out of an abundance of caution, we wanted to let you know about an incident that we recently handled that may have impacted some of your personal information. We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access. We truly regret that this incident occurred and are so sorry for any inconvenience this has caused you.”

T-Mobile did not report any exact number of customers affected by the breach. But a spokesperson for the company told Motherboard that it impacted roughly “3 percent” of its 77 million customers amounting to around two million people. “Fortunately not many,” the spokesperson said in a text message, adding she could not say the exact number, reported Motherboard.

T-Mobile is the third largest cell service provider in the U.S. with 77 million customers. The company has about half the customers of Verizon and AT&T with 152 million and 147 million customers respectively.

Breach Brief – Macy’s, Adidas

Leave a reply

Macy’s department stores has reported a data breach of customer data. The breach affects Macy’s online customers and exposed names, addresses, phone numbers, email addresses, birthdays, and credit and debit card numbers with expiration dates. Macy’s pointed out that it does not store credit verification values (CVV) or Social Security numbers in its online customer profiles. Macy’s has reported the data breach and exposed card numbers to payment processors Visa, MasterCard, American Express and Discover. Macy’s has not said how many customers are impacted.

According to Macy’s the breach took place between April 26 and June 12. The company reported that an “unauthorized third party” had obtained usernames and passwords and were able to log into Macy’s and subsidiary’s Bloomingdale’s shopper’s online profiles. It is not known how the hackers got the information. Macy’s reported the breach in a letter to the New Hampshire Attorney General’s Office on July 2nd.

Macy’s has frozen any customer profiles with suspicious activity until the customers change their passwords.

“We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures,” the company said in a statement. “Macy’s, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services.”

Adidas

Adidas, maker of sportswear and equipment, issued a warning to online shoppers in the U.S. that their personal information may have been compromised as a result a suspected data breach. Adidas first became aware of the incident on June 26 and analysts are saying that potentially millions of customers could be affected.

A preliminary investigation revealed that the hacker may have stolen customer’s contact information, usernames and encrypted passwords. Adidas does not believe any credit card or health and fitness information was compromised.

A statement on Adidas’ website read; “According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords. Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.” The company is in the process of notifying affected customers.

Breach Brief – Exactis

Leave a reply

Who is Exactis and what do they know about me? That is the question you need to be asking. No, you haven’t heard of Exactis but they may have exposed some of your most personal information to hackers. You, along and the everybody else in the U.S.

Exactis is a major data gathering company based in Palm Coast, FL. The Exactis website describes the company as a compiler and aggregator of business and consumer data. Exactis claims to have a store of information it refers to as a “universal data warehouse” that contains 3.5 billion consumer, business and digital records. Exactis claims these records are updated monthly. According to Exactis’ LinkedIn profile it is a privately owned company with only 10 employees. Exactis gathers this information from cookies on personal computers. credit and debit transaction records and other sources.

Now you should ask what do they know about me? The exposed records contains more than 400 different characteristics that include whether the person smokes, what their religion is and whether they have dogs or cats. But, according to Wired.com some of the information is inaccurate or outdated.

Your next question is; how did this happen? According to security researcher Vinny Troia the company leaked the data of 340 million individuals by storing it on an unsecured server accessible through the internet. According to Wired.com Troia discovered what he describes nearly two terabytes of data.

Troia reported the data breach to both Exactis and the FBI. Exactis reacted by securing the data so that it’s no longer accessible.

But now ask; did criminals know this? Did they access the information? The answer to that question is unknown. But since Exactis has not admitted to the data breach and it is no longer accessible no one really know how many people are affected. According to Wired.com Troia found two versions of the database each holding an estimated 340 million records. This number breaks down into 230 million consumers records and 110 million on business contacts.

But Marc Rotenberg, the executive director of the non-profit Electronic Privacy Information Center said, “The likelihood of financial fraud is not that great , but the possibility of impersonation or profiling is certainly there. Rotenberg stated that while some of the data is available in public records, much of it appears to be the sort of non-public information that data brokers aggregate from sources like magazine subscriptions, credit card transaction data sold by banks, and credit reports. “A lot of this information is now routinely gathered on American consumers,” Rotenberg adds.

Breach Brief – Panera Bread, Saks Fifth Avenue, Orbitz

Leave a reply

Panera, a popular bakery-cafe has admitted its website was leaking a data. According to Brian Krebs of KrebsOnSecurity.com Panera allegedly failed to fix issues with its website it knew about for nearly eight months. Panera Bread has has over 2,100 outlets nationwide.

Cyber security researcher Dylan Houlihan notified the company of a data leak in early August 2017. Mike Gustavison, Panera director of information security was informed of the flaw and said the company “working on a resolution.” Despite this statement the flaw was not repaired.

Data records that leaked out contain the names, email and physical addresses, birth dates and the last four digits of the credit card numbers of Panera customers.

Only after Krebs spoke directly with Panera chief information officer John Meister was the site shut down briefly and the data secured. The number of customers whose data may have been compromised is estimated at 37 million.

A statement from Panera Bread said; “Panera takes data security very seriously and this issue is resolved. Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”

The company urges its customers to alert for any fraudulent activity in the bank or credit accounts.

Saks Fifth Avenue/Lord & Taylor

Saks Fifth Avenue and Lord & Taylor reported a data breach affecting millions of its customers.

According to the company “a well-known ring of cybercriminals” had stolen more than 5 million credit and debit card numbers from customers. According to the New York Times the cyber criminals were able to pull off this massive heist by implanting software into the cash register systems.

Although it is early in the investigation the the hack appears to have only affected card numbers and not social security or driver’s license numbers.

The majority of the affected credit cards appear to have been used at Saks and Lord & Taylor stores between May 2017 and March 2018 and only in the New York-New Jersey areas stores.

Both Saks 5th Ave. and Lord & Taylor are owned by the Canadian company Hudson’s Bay. The company issued the following statement;“We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America. We have identified the issue, and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring.”

Orbitz

The popular travel booking site Orbitz announced that its legacy site, Amextravel.com, was compromised due to a data breach. Data of 880,000 customers was compromised from January 1, 2016 through December 22, 2017.

According to the company credit or debit card information was stolen along with personal information that includes the customer’s full name, date of birth, phone number, email address, physical and/or billing address and gender.

Orbitz plans to notify all customers who’s information may have been compromised and is providing potential victims a free year of credit monitoring services. Customers can contact Orbitz for the free service either online or by calling 855-828-3959 toll-free.

ALERT! – Cellphone Port-Out Scam – ALERT!

Leave a reply

Cyber criminals have developed a new scam targeting your cell phone. Known as the ‘port-out scam’ criminals are are using stolen information to trick cell phone carriers into transferring legitimate phone numbers to new devices. The result is leaving consumers with dead cell phones and vulnerable to even more crimes.

Your cell phone is probably your single most important technology device. It contains information about nearly every facet of your life. African-Americans are the leading consumer of mobile technology making this scam extremely dangerous to our community.

Porting is a standard practice in the cellphone industry. A consumer can port their number to a new service provider or new device usually in minutes. With this scam, also known as the “SIM-swap scam” a criminal tricks a cellphone service provider into transferring your legitimate phone number to a phone under the scammer’s control. Once the number is ported, all calls and text messages sent to that number go instead to the scammer’s phone. This allows the scammer to bypass security features, like two-factor authentication, used to protect your sensitive email, banking, and social media account information.

Scammers use stolen data like your the last four digits of a Social Security number, a phone number, name on the account and the victim’s address. All of this information is easily obtainable on the dark web thanks to repeated data breaches of consumer information.

Using the stolen data the scammer contacts the wireless provider pretending to be the legitimate owner. After the scammer contacts the cell phone company they can easily change the PIN if one is not already set up. If you do have a PIN set up the scammer claims not to remember it then uses the last four of the victim’s social security number and mailing address. The scammer’s next move is to request the wireless company port “their” number to a different phone. Once the provider switches the victims’ phone number to the criminal’s phone the victim’s phone will go dead. The scammer then uses the phone to reset passwords or gain entry to accounts that use two-factor text authentication. Criminals frequently target bank accounts. Once a bank account is accessed the scammer can quickly and easily transfer funds to an account that the scammer controls.

This scam is the latest and fastest growing cyber scam and can be financially devastating to victims. Cellphone service providers have begun taking steps to protect their customer’s accounts. T-Mobile, sent a text to notify customers to set up a port validation feature. This ensures that fraudsters could not port out your phone number without providing a passcode.

Fraud.org advises consumer to use the following steps to keep from being victimized by this scam.

Contact your carrier and ask them to add a unique personal identification number (PIN) to your account. This PIN will need to be provided any time you wish to make a change to your account, including upgrading your cell phone. This extra layer of security will help block any would-be scammer from running the port-out scam on your phone. The process for adding a PIN depends on your provider.
- AT&T – Log into your ATT.com account, go to your profile by clicking your name, and under the wireless passcode drop down menu, click on “manage extra security.”
- T-Mobile – Call 611 or (800) 937-8997 from your cell phone to speak with a customer service agent.
- Sprint – Sprint automatically requires their customers to set up a PIN when an account is opened.
- Verizon – Visit vzw.com/PIN or call (800) 922-0204.
Always use good password hygiene. Regardless of account, choose a password that is unique, complex, and contains upper- and lower-case letters, numbers, and symbols. It is critical not to reuse passwords across multiple accounts. That way, if one account becomes compromised, then every account with that password can become compromised as well. For the best password security, use a password manager that creates and remembers random passwords.
Consider alternatives to text two-factor authentication. For your most important accounts, like your online bank account, see if they allow other versions of two factor authentication such as a security key or or a third-party authenticator app like Authy.
Be suspicious of emails or phone calls from people purporting to be from your bank. Remember, your bank will never ask you to enter confidential information in an email.

If, despite these steps, you become a victim you should:

Act quickly! Notify your cellphone provider and report any fraud to your bank. Quick action can minimize the damage the scammer could inflict. Your cellphone provider can turn off your phone number and prevent scammers from using that number to bypass two-factor text authentication.
Notifying your bank the moment you notice unauthorized charges or that you are at risk for fraudulent two-factor authentication can also minimize your liability.
File a report at Fraud.org using their secure online complaint form. They will share your complaint with their network of law enforcement and consumer protection agencies who can investigate and help put fraudsters behind bars. Then make sure you file a police report at your local police.

Breach Brief – TIO Networks

Leave a reply

TIO Networks, owned by PayPal has suffered a data breach that may have compromised the personally identifiable information or PII of up to 1.6 million customers. TIO suspended operations on November 10th to investigate “security vulnerabilities” in its payment platform.

According to PayPal customer information compromised in the breach include names, addresses, bank-account details, Social Security numbers and account login details.

TIO Networks is a Canadian company that processes payments from under served or un-banked communities. In 2016 the company processed more than $7 billion in consumer bills. TIO serves 14 million consumer bill pay accounts. Many of these consumers are poor or receive some form of public assistance using state issued EBT Cards. According to the Federal Deposit Insurance Corporation(FDIC) about 7 percent of the U.S. households are considered un-banked

The company has more than 10,000 supported billers. TIO allows establishments like convenience stores, supermarkets and even liquor stores to quickly process payments to telecom, wireless, cable and utility companies. TIO’s offers more than 900 self-service kiosks and approximately 65,000 retail walk-in locations as well as mobile and web solutions.

PayPal purchased TIO Networks in July for $238 million in cash. According to PayPal its payments platform is not impacted in any way. TIO systems are completely separate from PayPal and PayPal’s customers’ data remains secure.

TIO is working with the companies it services to notify potential victims affected by the breach. These consumers will be contacted directly and receive instructions on how to sign up for credit monitoring offered by PayPal.

Understanding Medical Data Breaches

Leave a reply

Medical data breaches are constantly in the news. According to iHealthBeat.org 1 in 10 U.S. residents have been impacted by a medical data breach. It is highly likely that millions of African-Americans have been the victim of a medical data breach and probably don’t know it. The sad news is that this has become common.

We need to understand a few things about data breaches. First, what is a data breach? What kind of data breaches are there? How many people are affected and how do you fight back if you think your data has been compromised.

Put simply a data breach is an incident where sensitive, protected or confidential information has been exposed, stolen or utilized by unauthorized individuals often to commit some type of crime.

What kind of data breaches are there? Data breaches may expose personal health information (PHI) this is a medical data breach. Personally identifiable information (PII) is information that, on its own or combined with other information can be used to identify, contact, or locate a person, or identify an individual in context. Finally there is a data breach that exposes trade secrets or intellectual property. This usually affects businesses and sometimes falls known as industrial espionage.

Medical data breaches often involve massive numbers of people and personal information records. Here are the largest medical data breaches so far this year. Look carefully, your insurance company may be on the list.

Keep in mind that medical insurance companies are not alone when it comes to data breaches. Hospitals and health service providers are a prime target for medical data hackers. The HIPAA Act covers most medical facilities. HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The law is intended to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.

According to Datapipe.com these are the largest HIPAA data breaches of 2014.

Community Health Systems, 198 hospitals in 29 states, 4.5 millions data records compromised.
Xerox State Healthcare, Medicaid systems management, 2 millon records compromised.
Sutherland Healthcare Solutions, medical contractor, 342,000 records compromised.
Touchstone Medical Imaging, diagnostic medical imaging, 300,000 records compormised.
Indian Health Service, federal health program for native and Alaskan Indians, 200,000 records compromised.
NRAD Medical Associates, multi-specialty medical practice, 100,000 records compromised.

According to a report released by KPMG 81 percent of health insurance providers and hospitals have had a data breach. The survey revealed,

15 percent of healthcare organizations have no one whose sole responsibility is information security.
23 percent do not have a security operations center to identify and evaluate threats.
55 percent say they have a hard time staffing their organization.

Why is medical data so valuable? Medical records are ten times more valuable to hackers than your credit cards.

Your medical information is a gold mine. You probably have medical information spread over several doctor’s offices, medical services and hospitals including your dentist, pharmacy and physical therapist. These records contain information such as your Social Security number, address and phone number, email, next of kin information, phone numbers, information about your children or spouse, payment information, insurance information, and much more.

Hackers use stolen medical and insurance data to create fake IDs, buy medical equipment or drugs that they can re-sell and file fraudulent claims with insurance providers. Hackers also have more time to use stolen data to commit fraud because medical identity theft is not immediately apparent. And mostly because these records are easy targets. According to the KMPG report hospitals and medical insururance companies are poor protectors of your information. According to the security firm Symantec health care providers saw a 72 percent increase in cyberattacks from 2013 to 2014, Health care companies are required by law to publicly disclose big health data breaches. There were more than 270 such disclosures in the last two years.

So how can African-Americans avoid the theft of their medical information?

If your wallet is lost or stolen, make sure your insurer(s) are notified along with your financial institutions.
Carefully examine all medical bills and insurance statements you receive. Look for fees from health care providers you do not recognize or statements describing benefits paid out for services you did not obtain.
Consider an identity protection service which will help you detect most kinds of identity theft, including medical, much earlier than you might on your own and assist you through the fraud resolution process if your information is stolen.
Always be alert to strange phone calls or emails from people asking medical questions or insurance questions, especially if you do not know the company.
Alert your caregivers of any suspicious calls or activity regarding your care.
Keep a close watch on your credit and banking resources. Alert you financial institutions of any suspicious or fraudulent activity.
Take full advantage of credit monitoring services if offered.

The loss of medical data can have a devasating personal impact. An unlucky victim may have their medical insurance coverage cancelled or suspended due to fraudulent claims. Insurance premiums may skyrocket. Others may have their identity stolen completely. Changes, intentional or accidental, to medical records could result in mis-diagnosis or mis-treatment of illnesses. Pay attention to data breach notifications. The African American Cyber Report is an excellent source for the latest breach notifications.

Know you know